T1406.002: Software Packing
Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.
Utilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.
Analyst context for executives and security teams
Software packing matters because it can make mobile app code harder for defenders, app-review teams, and responders to recognize or analyze. For Android and iOS environments, this is less about a single exploit and more about resilience against concealed payloads: packed executables may change file signatures and unpack in memory, weakening controls that rely mainly on static signatures.
Executive priority
Leaders should treat this as a mobile defense validation issue, especially where employees, customers, or regulated workflows depend on mobile apps. The decision question is whether mobile security, app vetting, SOC triage, and incident response can handle intentionally concealed code rather than only known file signatures. It is also relevant to compliance evidence: teams may need to show that mobile application risk review and malware detection are not limited to simple hash or signature matching.
Technical view
ATT&CK lists Software Packing as a mobile sub-technique of Obfuscated Files or Information for Android and iOS. No official detection text or tactics are supplied, but a related ATT&CK detection strategy, DET0644 Detection of Software Packing, is linked. SOC and detection teams should validate whether mobile app analysis workflows can identify packed, compressed, encrypted, or memory-unpacked executables, and whether alerts are correlated with broader obfuscation behavior under T1406. Relationship context shows multiple Android malware entries using this behavior (Gustuff, Bread, S.O.V.A., BRATA, CherryBlos, and Crocodilus), so Android mobile malware analysis should receive particular validation attention; iOS should not be excluded, because the technique's platform list includes iOS.
Likely telemetry
- Mobile application package metadata and file signatures
- Static mobile app analysis results, including indicators of compression, encryption, or known packer artifacts
- Dynamic or sandbox analysis observations where executable code is decompressed or revealed in memory
- Mobile threat defense or app-vetting alerts related to obfuscation, packing, or suspicious executable structure
- Incident response artifacts from suspect Android or iOS applications, including unpacked or runtime-observed code where available
Detection direction
- Do not rely solely on known hashes or static signatures, because packing can change executable signatures.
- Validate whether mobile app vetting can flag both known packer artifacts and custom packing that may not match known packer signatures.
- Use the DET0644 relationship as a pointer to detection strategy coverage, but confirm local detection logic, telemetry sources, and testing evidence because the official detection text is not supplied here.
- Tune triage to avoid treating all packing as automatically malicious; packing may require risk scoring with app provenance, requested permissions, runtime behavior, and other obfuscation indicators.
- Prioritize Android detection validation because all supplied software examples using this object are Android, while maintaining coverage expectations for iOS because ATT&CK lists both Android and iOS platforms.
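The detection direction above asks for vetting that catches custom packing rather than only known packer signatures, and for triage that scores packing as one risk signal instead of an automatic verdict. The script below is an added example, not code from this page or from MITRE: it scans an APK (a ZIP container) for entries that look encrypted or pre-compressed (high Shannon entropy and almost no shrinkage under deflate), skips media and font entries that are legitimately opaque, and checks for the loader pattern in which a very small DEX ships next to a large opaque blob that is unpacked at runtime. The entropy threshold, size limits, scoring weights and the two constructed sample APKs are assumptions chosen for illustration; a real vetting pipeline would combine this score with app provenance, permissions and runtime behaviour.

```python
"""Heuristic triage of an Android APK for packing indicators.

Added example, not code from the page or from MITRE. The thresholds and the
'stub DEX + opaque payload' heuristic are assumptions chosen for illustration.
"""
import hashlib
import io
import math
import zipfile
from collections import Counter

MEDIA_SUFFIXES = (".png", ".jpg", ".jpeg", ".webp", ".gif", ".mp3", ".mp4", ".ogg", ".ttf", ".otf")
ENTROPY_THRESHOLD = 7.2     # assumption: bits/byte above which an entry looks encrypted or compressed
MIN_BLOB_SIZE = 4096        # assumption: ignore tiny entries, entropy is noisy there
STUB_DEX_LIMIT = 16 * 1024  # assumption: a real application DEX is rarely this small


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def analyze_apk(apk_bytes: bytes) -> dict:
    """Score an APK for packing indicators.

    Returns a risk score and 'review' / 'low', never 'malicious': packing is one
    signal to combine with provenance, permissions and runtime behaviour.
    """
    blobs = []
    largest_dex = 0
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            data = zf.read(info.filename)
            if name.endswith(".dex"):
                largest_dex = max(largest_dex, len(data))
                continue
            # Images, audio and fonts are legitimately high-entropy; skip them to limit false positives.
            if name.endswith(MEDIA_SUFFIXES) or len(data) < MIN_BLOB_SIZE:
                continue
            entropy = shannon_entropy(data)
            # Already-compressed or encrypted data barely shrinks under deflate.
            ratio = info.compress_size / max(info.file_size, 1)
            if entropy >= ENTROPY_THRESHOLD and ratio > 0.95:
                blobs.append({"entry": info.filename, "size": len(data),
                              "entropy": round(entropy, 2), "deflate_ratio": round(ratio, 2)})
    payload_bytes = sum(b["size"] for b in blobs)
    # Loader pattern: a tiny DEX stub next to a large opaque blob that is
    # decompressed or decrypted in memory at runtime.
    stub_with_payload = 0 < largest_dex < STUB_DEX_LIMIT and payload_bytes > largest_dex
    score = len(blobs) + (2 if stub_with_payload else 0)
    return {
        "high_entropy_blobs": blobs,
        "largest_dex_bytes": largest_dex,
        "stub_dex_with_payload": stub_with_payload,
        "score": score,
        "verdict": "review" if score >= 2 else "low",
    }


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for encrypted content."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def build_sample_apk(packed: bool) -> bytes:
    """Constructed APK-like ZIPs for the demo; not real application files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.constructed'/>\n" * 30)
        zf.writestr("res/drawable/icon.png", _pseudo_random(8192, b"icon"))  # opaque but legitimate
        if packed:
            zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 2000)            # loader stub
            zf.writestr("assets/payload.bin", _pseudo_random(64 * 1024))            # "encrypted" code
        else:
            zf.writestr("classes.dex", b"dex\n035\x00" + b"Lcom/example/Main;\x00" * 2000)
            zf.writestr("assets/strings.txt", b"plain readable resource text\n" * 400)
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("packed", "benign"):
        print(label, analyze_apk(build_sample_apk(packed=(label == "packed"))))
```

The constructed packed sample is flagged on two independent indicators (an opaque 64 KiB asset and a 2 KiB DEX stub) and lands in "review", while the benign sample, whose only high-entropy entry is an icon, scores zero. Because the check keys on entropy and compressibility rather than on any packer's byte signature, it also fires on custom packers that leave no known artifacts, which is the gap the second detection bullet describes.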
Mitigation priorities
- Strengthen mobile app intake and vetting processes so packed or heavily obfuscated apps receive additional scrutiny before enterprise use.
- Ensure mobile malware analysis includes dynamic or runtime inspection where static analysis is insufficient.
- Maintain incident response procedures for collecting and analyzing suspect mobile apps and related device evidence.
- Use mobile security controls and policy governance to reduce exposure to untrusted or insufficiently reviewed applications.
- Document detection assumptions and gaps for audit and risk discussions, especially where mobile apps support financial, identity, or customer-facing workflows.
Analyst notes and limits
This technique is materially important because it targets a common defensive dependency: recognizable file signatures. The supplied relationships connect it to the broader mobile obfuscation technique T1406 and to several Android malware software objects, including banking, credential theft, billing fraud, and cryptocurrency-related malware descriptions. Those relationships support prioritizing mobile malware analysis readiness, but they do not prove current exposure in any specific environment.
The official ATT&CK object provides no detection text and no tactics. The linked detection strategy is named but not described in the supplied fields. Local conclusions require environment-specific evidence such as mobile app inventory, app-vetting process, mobile threat telemetry, sandbox capability, and incident response collection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1406 | Obfuscated Files or Information | This object is a sub-technique of Obfuscated Files or Information. |
Groups, software, and campaigns
S0432: Bread
Bread was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store’s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.[1]
S0406: Gustuff
S1062: S.O.V.A.
S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.[1][2]
S1225: CherryBlos
CherryBlos is an Android malware that steals credentials and redirects cryptocurrency to adversary-controlled wallets. CherryBlos was labelled Robot 999 in its first appearance in April 2023; since then, various aliases have been used, including GPTalk, Happy Miner, and SynthNet. The threat actors behind CherryBlos uploaded the malware to different Google Play regions, such as Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico.[1]
S9004: Crocodilus
Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. Crocodilus has been customized based on the target location. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted Crocodilus to claim bonus points.[1][2]
S1094: BRATA
BRATA (Brazilian Remote Access Tool, Android) is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, BRATA was later also found in the UK, Poland, Italy, Spain, and the USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of BRATA.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | e86fe6161ea6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack T1406.002
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.